Your TV might be watching you
Your TV might be watching you
By Erica Fink and Laurie Segall @CNNMoney August 1, 2013: 11:32 AM ET
LAS VEGAS (CNNMoney) Today's high-end televisions are
almost all equipped with "smart" PC-like features, including Internet
connectivity, apps, microphones and cameras. But a recently discovered security
hole in some Samsung Smart TVs shows that many of those bells and whistles
aren't ready for prime time.
The flaws in Samsung Smart TVs, which have now been
patched, enabled hackers to remotely turn on the TVs' built-in cameras without
leaving any trace of it on the screen. While you're watching TV, a hacker
anywhere around the world could have been watching you. Hackers also could have
easily rerouted an unsuspecting user to a malicious website to steal bank
account information.
Samsung quickly fixed the problem after security
researchers at iSEC Partners informed the company about the bugs. Samsung sent
a software update to all affected TVs.
But the glitches speak to a larger problem of gadgets
that connect to the Internet but have virtually no security to speak of.
Security cameras, lights, heating control systems and
even door locks and windows are now increasingly coming with features that
allow users to control them remotely. Without proper security controls, there's
little to stop hackers from invading users' privacy, stealing personal
information or spying on people.
In the case of Samsung Smart TVs, iSEC researchers found
that they could tap into the TV's Web browser with ease, according to iSEC
security analyst Josh Yavor. That gave hackers access to all the functions
controlled by the browser, including the TV's built-in camera.
"If there's a vulnerability in any application,
there's a vulnerability in the entire TV," said Aaron Grattafiori, also an
analyst at iSEC.
Yavor and Grattafiori were also able to hack the browser
in such a way that users would be sent to any website of the hacker's choosing.
While the hack would have been obvious if the website on the screen didn't
match the desired address, Yavor says there could be serious implications if a
bad actor sent a user to a lookalike banking page and retrieved a user's
credentials.
The research was conducted on different models of 2012
Samsung Smart TVs and was presented this week at the Black Hat cybersecurity
conference in Las Vegas.
In a statement to CNNMoney, Samsung said it takes user
safety very seriously. Addressing the camera flaw, a company spokesperson said,
"The camera can be turned into a bezel of the TV so that the lens is
covered, or disabled by pushing the camera inside the bezel. The TV owner can
also unplug the TV from the home network when the Smart TV features are not in
use."
Samsung also recommends that customers use encrypted
wireless access points.
The iSEC crew said they remain skeptical that the technology
is perfectly secure, even after Samsung patched the bugs.
"We know that the way we were able to do this has
been fixed; it doesn't mean that there aren't other ways that could be
discovered in the future, " Yavor said.
Companies like Samsung pay hackers when they report
security vulnerabilities like the ones iSEC found. The researchers are iSEC
confident that there are more undetected flaws in these devices that they are
running a fund-raiser off of finding bugs in Smart TVs at technology conference
Def Con later this week.
Yavor and Grattafiori say users should run regular
updates from vendors like they would for anti-virus definitions or system
updates on the smartphone.
And when all else fails, users can always put tape over
their cameras.
Comments
Post a Comment